MD Anderson avoids $4.3M HIPAA penalty

Becker's Hospital Review

Jackie Drees

The U.S. Court of Appeals on Jan. 14 vacated University of Texas MD Anderson Cancer Center's $4.3 million HIPAA fine for losing more than 35,000 patients' protected health information.

The court ruled that HHS had acted arbitrarily and inconsistently in finding that the Houston-based cancer center had violated two information security regulations stemming from three data breach incidents in 2012-13, according to the U.S. Court of Appeals for the Fifth Circuit opinion filed Jan. 14.

In June 2018, HHS fined MD Anderson $4.3 million after completing its investigation of the theft of an unencrypted laptop from the cancer center and loss of two unencrypted flash drives. HHS found that while MD Anderson had encryption policies since 2006, it did not adopt systemwide encryption of electronic PHI until 2011. HHS' Office for Civil Rights said the cancer center also failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011, and Jan. 25, 2013.

MD Anderson appealed the HHS fine in April 2019, arguing that...


© 2020 by HealthcareCISO.